Preseeding Full Disk Encryption

If you've never worked with preseeding, this entire section of code
probably looks incredibly foreign. As preseeding in general is documented
well in a number of other places, I'm not going to bother breaking down
every setting here. Instead, let me highlight the settings that matter
for disk encryption. The most important one tells partman (the Debian
installer's partitioning component) to use encryption:

d-i partman-auto/method string crypto

Next, because preseeded encrypted partitions need to use LVM (the
installer's crypto method puts an LVM physical volume on top of the
encrypted device and carves the real partitions out of it as logical
volumes), I must add LVM-specific preseed settings:

In the last of these settings, I told partman to create a new LVM volume
group named crypt that I will use to store my encrypted partitions.
Further down, where I define my swap and root partitions, you can see that I
named each logical volume and set which volume group it belongs to:

Once these settings were in place, I was able to preseed an install with
disk encryption almost fully automated; the one remaining prompt was for the
passphrase, which I wanted.
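The page omits the LVM and logical-volume settings it refers to, so here is an added example (my own, not the article's preseed file) of a complete partitioning fragment for an encrypted-LVM install with a volume group named crypt holding swap and root logical volumes, together with a small lint that catches the mismatch partman only reports late in the install. The d-i keys are the standard partman, partman-lvm and partman-auto-lvm keys; the recipe name crypt-lvm and the sizes (512 MB /boot, 2 GB swap, the rest for /) are arbitrary choices for this example:

```shell
#!/bin/sh
# Added example, not the article's own preseed file. write_preseed() emits the
# partitioning part of a preseed for an encrypted-LVM install whose volume
# group is "crypt" and holds "swap" and "root" logical volumes; check_preseed()
# lints the result before it is served to an installer. The recipe name
# "crypt-lvm" and the partition sizes are arbitrary choices for this example.
set -eu

# write_preseed FILE: write the partitioning fragment to FILE.
write_preseed() {
  cat >"$1" <<'EOF'
# Use the installer's encrypted-LVM partitioning method.
d-i partman-auto/method string crypto
# Clear any old LVM/RAID metadata without prompting.
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
# Volume group created on top of the encrypted physical volume.
d-i partman-auto-lvm/new_vg_name string crypt
d-i partman-auto-lvm/guided_size string max
# /boot stays a plain primary partition; swap and / are logical volumes in "crypt".
d-i partman-auto/expert_recipe string \
  crypt-lvm :: \
    512 512 512 ext4 \
      $primary{ } $bootable{ } method{ format } format{ } \
      use_filesystem{ } filesystem{ ext4 } mountpoint{ /boot } \
    . \
    2048 2048 2048 linux-swap \
      $lvmok{ } lv_name{ swap } in_vg{ crypt } method{ swap } format{ } \
    . \
    4096 10000 -1 ext4 \
      $lvmok{ } lv_name{ root } in_vg{ crypt } method{ format } format{ } \
      use_filesystem{ } filesystem{ ext4 } mountpoint{ / } \
    .
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
EOF
}

# check_preseed FILE: the method must be crypto, a VG name must be set, and
# every in_vg{ } in the recipe must name that VG. Returns 1 on the first
# problem found, printing the reason to stderr.
check_preseed() {
  f=$1
  grep -q '^d-i partman-auto/method string crypto$' "$f" \
    || { echo "check_preseed: partman-auto/method is not crypto" >&2; return 1; }
  vg=$(sed -n 's/^d-i partman-auto-lvm\/new_vg_name string \(.*\)$/\1/p' "$f")
  [ -n "$vg" ] || { echo "check_preseed: new_vg_name not set" >&2; return 1; }
  for name in $(grep -o 'in_vg{ *[^ }]* *}' "$f" | sed 's/in_vg{ *//; s/ *}//'); do
    [ "$name" = "$vg" ] \
      || { echo "check_preseed: in_vg{ $name } does not match VG $vg" >&2; return 1; }
  done
  return 0
}
```

Run `write_preseed preseed.cfg && check_preseed preseed.cfg` before publishing the file. One caveat a practitioner should weigh: d-i does let you preseed the passphrase itself (`partman-crypto/passphrase` and `partman-crypto/passphrase-again`), but that puts the disk passphrase in cleartext in a file that is typically fetched over plain HTTP at install time, so keeping the interactive prompt, as the article does, is the safer default.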

The only missing piece to this automation was that the installer started
overwriting the existing disk with random data. There are good reasons why
you may want to do this before setting up disk encryption (on a disk that
has held data before, a random fill means an attacker can't tell encrypted
blocks from unused space or leftover plaintext), but in this case, the disk
was blank beforehand, and I didn't want to wait the many hours it might
take. Try as I might, no options to preseed this feature away seemed to
work. After poring through the partman code to find the magic option, I
finally resorted to patching the partman-crypto script on the fly in the
middle of the install so that it skipped the erase process:

This is an ugly hack indeed, but it was the only way I was able to find
that worked. With that in place, I was able to have an automated partitioning
recipe with full-disk encryption that skipped the disk-erasing section. My
hope is that the next time other people need to do this and do a search
on-line, they at least can find my article and the two other examples and
won't have to burn so much time.
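The page does not show which partman-crypto file or line was patched, so the following is an added example of the technique rather than the article's patch: an in-place sed on an installer script that refuses to continue when the line it expects is missing, demonstrated on a constructed stand-in script. The helper names, the stand-in file and its contents are all invented for this example:

```shell
#!/bin/sh
# Added example, not the article's patch. It demonstrates patching an
# installer script in place, with a check that the target line was actually
# found, on a constructed stand-in rather than on partman-crypto itself.
set -eu

# patch_script FILE PATTERN REPLACEMENT
# Replaces PATTERN with REPLACEMENT on every matching line, keeping FILE.orig
# as a backup. Refuses to proceed if PATTERN is absent, so an installer
# release that moved or renamed the line aborts here instead of silently
# running the code you meant to skip. PATTERN and REPLACEMENT must not
# contain '|', which is used as the sed delimiter.
patch_script() {
  file=$1 pattern=$2 replacement=$3
  if ! grep -q -e "$pattern" "$file"; then
    echo "patch_script: pattern not found in $file: $pattern" >&2
    return 1
  fi
  sed -i.orig "s|$pattern|$replacement|" "$file"
  # Confirm the edit landed before letting the caller continue.
  grep -q -e "$replacement" "$file"
}

# demo_patch DIR: writes a constructed stand-in for an installer script whose
# slow erase step we want to skip, patches it, and runs the result. The file
# name and contents are invented for this demo; they are not partman-crypto's.
demo_patch() {
  stub="$1/erase-stub.sh"
  cat >"$stub" <<'EOF'
#!/bin/sh
# constructed stand-in, not partman-crypto
echo "erasing disk with random data"   # the slow step
echo "setting up dm-crypt"
EOF
  patch_script "$stub" 'echo "erasing disk with random data"' 'true'
  sh "$stub"
}
```

In a real preseed, a command like this has to run after the partman udebs (partman-crypto included) have been loaded but before partman starts, which is what the standard `d-i partman/early_command string ...` hook provides; `preseed/early_command` runs too early for the files to exist. Two things to keep in mind if you adopt this approach: skipping the random fill is only safe on a disk that never held data, since otherwise old plaintext stays readable beside the new encrypted volume, and a patch keyed on a specific line of installer code should fail loudly, as above, rather than let a new installer release quietly reinstate the hours-long wipe or, worse, skip a different step.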

Kyle Rankin is senior security and infrastructure architect, the author of
many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu
Server Book, and a columnist for Linux Journal. Follow him @kylerankin